fixes for Android OS
Rewrite detection of /dev/ptmx and use the device on Android.
Replace the bionic stubs ttyname and ttyname_r with a working implementation.

builds with upcoming OpenSSL 1.1
This version builds fine with current (master branch) versions of the OpenSSL library.
For the alpha version you should rename EVP_CIPHER_CTX_get_cipher_data to EVP_CIPHER_CTX_cipher_data, i.e. without _get.

pkcs11 module supports EC keys
The PKCS11 module can use EC based X.509 certificates and keys either from
the command line (ssh -I argument) or from the agent (loaded with ssh-add -s ...).
The PKCS11 engine is still supported, but the current implementation cannot be used
in all possible OpenSSL configurations.

improved support of pkcs11 module
Use context extra data specific to ssh to avoid a clash with the default context.
Note that the default context could be used by the OpenSSL library itself.
The RSA method is based exactly on the OpenSSL RSA method, not the default one.
Note that the default RSA method could be provided by a loadable cryptographic module (engine).

builds with upcoming OpenSSL 1.1
It can be built with the 1.1 alpha 1, 2 and 3 versions of the OpenSSL library.

LDAP tests for Solaris
Note that only builds with OpenLDAP are supported.

includes openssh 7.2p1
You can build with EXPERIMENTAL_RSA_SHA2_256 defined to enable experimental
support for the rsa-sha2-256 and rsa-sha2-512 public key algorithms.
Note that those algorithms are be managed yet with options like PubkeyAlgorithms or HostbasedAlgorithms.

builds with upcoming OpenSSL 1.1
OpenSSL version 1.1 is a major API change: almost all structures are opaque.
Applications have to use accessor functions to manipulate structure attributes.
Note that the OpenSSL library is in alpha stage.
Version 8.7 of PKIX-SSH is the first version that builds with OpenSSL 1.1.
It can be built with the OpenSSL alpha versions 1.1.0-pre1 and 1.1.0-pre2, and the regression tests pass.

support for ssh-dss in client
The previous version did not properly keep ssh-dss in the list announced by the client to the server.
This version completely restores ssh-dss in the client, including in the dump of the configuration.

support for ssh-dss
The public key algorithm ssh-dss is defined as required for secure shells.
For compatibility with commercial implementations PKIX-SSH will continue to support it in the default configuration.

portability fixes
Refine the autoconf macros that detect supported compiler and linker flags,
to minimize the impact of user-specified flags on the detection process.
As a result of the correction, GNU C compiler flags like -fPIE and the linker flag -pie should be detected.
This could impact linking with a FIPS enabled OpenSSL library.
In such a case you can configure with --without-pie.
Minimize undefined functions, a result of some optimizations in included headers.
Proper implementation of statvfs and fstatvfs for Android and perhaps other platforms.

pattern matching for public key algorithms
Reimplementation of the pattern matching added for the first time in 8.3.
Now the options PubkeyAlgorithms and HostbasedAlgorithms accept patterns for X.509 key algorithms.

allowed algorithms, match block and privilege separation
The integration of some compatibility options in 8.3 introduced a regression in the options
PubkeyAlgorithms and HostbasedAlgorithms: values from a match
block are not transferred properly to the privileged process.
The integration of the compatibility options is revised in 8.3.1.

some improvements from base

regression test
Updated to use more generic names for distinguished name items.

Version 8.3 includes OpenSSH 6.8p1
Continue refactoring of key-related functions to be more library-like.
Minimum supported OpenSSL version is 0.9.7.

pattern in allowed algorithms
Version 5.4, published on 24 November 2004
(for more details see the news archives),
implemented for the first time the new server options PubkeyAlgorithms and HostbasedAlgorithms
to restrict the allowed protocol version 2 algorithms in public-key or host-based authentication.
PubkeyAlgorithms is also available in the client.
With version 8.2 the format is changed to accept a wildcard pattern with default value *,
i.e. all algorithms are allowed.
Note that the wildcard pattern format is backward compatible with the previous lists.
For consistency version 8.2 adds a new client option - HostbasedAlgorithms.
The default value of the client options is *, i.e. all algorithms are allowed.
Both client options also support pattern matching.
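
How a wildcard list for PubkeyAlgorithms or HostbasedAlgorithms (including the X.509 patterns mentioned for 8.3) selects algorithms, and why an old exact-name list still works, shown as an added example that is not PKIX-SSH code. The matching rules (comma-separated entries, '*' and '?' only), the function names and the sample algorithm set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Glob match: '*' matches any run of characters, '?' exactly one. */
static int glob_match(const char *p, const char *s) {
    for (; *p; p++, s++) {
        if (*p == '*') {
            while (*p == '*') p++;        /* collapse consecutive '*' */
            if (!*p) return 1;            /* trailing '*' matches the rest */
            for (; *s; s++)
                if (glob_match(p, s)) return 1;
            return 0;
        }
        if (!*s || (*p != '?' && *p != *s)) return 0;
    }
    return *s == '\0';
}

/* 1 if name matches any entry of the comma-separated pattern list. */
int alg_allowed(const char *list, const char *name) {
    char pat[128];
    while (*list) {
        size_t n = strcspn(list, ",");
        if (n > 0 && n < sizeof(pat)) {
            memcpy(pat, list, n);
            pat[n] = '\0';
            if (glob_match(pat, name)) return 1;
        }
        list += n;
        if (*list == ',') list++;
    }
    return 0;
}

int main(void) {
    /* Constructed sample: algorithm names a peer might offer. */
    const char *offered[] = { "x509v3-ecdsa-sha2-nistp256", "x509v3-sign-rsa",
                              "x509v3-sign-dss", "ssh-rsa", "ssh-dss" };
    /* The default, an exact list without wildcards, and a wildcard list. */
    const char *lists[] = { "*", "ssh-rsa,ssh-dss", "x509v3-ecdsa-sha2-*,ssh-rsa" };
    for (size_t i = 0; i < sizeof(lists) / sizeof(lists[0]); i++) {
        printf("%s:", lists[i]);
        for (size_t j = 0; j < sizeof(offered) / sizeof(offered[0]); j++)
            if (alg_allowed(lists[i], offered[j])) printf(" %s", offered[j]);
        printf("\n");
    }
    return 0;
}
```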

OpenSSL engine support
The refactoring of key-related functions to be more library-like in version 8.2
broke engine support.
Now the code of the engine related functions is refactored and support is restored.

Portability
This version adds some portability improvements for the Bourne shell scripts
used in regression tests.

Version 8.2 includes OpenSSH 6.7p1
OpenSSH 6.7p1 refactors key-related functions to be more library-like.
OpenSSH 6.7p1 also drops TCP-wrappers and requires at least
OpenSSL 0.9.8f to build.

Minimum OpenSSL version - 0.9.7
PKIX-SSH drops support for OpenSSL 0.9.6.
It continues to support OpenSSL 0.9.7 and all 0.9.8 versions with wrapper functions
for missing or buggy functionality.
Note that engine functionality in OpenSSL 0.9.7 is not so stable
and in some host configurations loading of OpenSSL engines may fail.

TCP-wrappers support
PKIX-SSH continues to support TCP-wrappers.

Support ECDSA X.509 keys in agent
Unfortunately version 8.1 was released without support in agent.
Version 8.2 corrects this mistake.

Portability fixes
The regression tests are corrected to use more portable command invocation.
Detection of "unix" netcat in the multiplex tests is also improved.
Now the tests pass on Solaris.
Note that the netcat commands used in Linux distributions do not yet fulfill
the requirements of the multiplex regression test.

How to build with FIPS enabled OpenSSL on Solaris 11
PKIX-SSH passes all tests on Solaris 11 using FIPS enabled OpenSSL
with the following configuration:

remove EVP_dss1raw as it does not work with OpenSSL 1.0.2 in FIPS mode
OpenSSL 1.0.2 no longer exports the FIPS EVP structures.
This impacts the custom implementation of EVP_dss1 with signature encoding according to SSH norms.
In version 8.1 the EVP_MD structure dss1raw is replaced with a wrapper for the OpenSSL methods EVP_SignFinal
and EVP_VerifyFinal that recodes the signature according to SSH norms.
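
The recoding in the signing direction, as an added example that is not taken from PKIX-SSH: OpenSSL returns a DSA signature as a DER SEQUENCE of two INTEGERs, while ssh-dss (RFC 4253, section 6.6) carries r and s as two fixed 160-bit integers, 40 bytes in total. The function names and the sample signature bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DSS_INTLEN 20                 /* r and s are 160-bit integers */
#define DSS_SIGLEN (2 * DSS_INTLEN)

/* Copy one DER INTEGER (short-form length) into out[20], right-aligned
 * and zero-padded. Advances *pp past it. Returns 0 on success. */
static int der_int_to_fixed(const unsigned char **pp, const unsigned char *end,
                            unsigned char *out) {
    const unsigned char *p = *pp;
    size_t len;
    if (end - p < 2 || p[0] != 0x02 || (p[1] & 0x80)) return -1;
    len = p[1];
    p += 2;
    if (len == 0 || (size_t)(end - p) < len || (p[0] & 0x80)) return -1;
    if (p[0] == 0x00 && len > 1) { p++; len--; }   /* drop DER sign padding */
    if (len > DSS_INTLEN) return -1;
    memset(out, 0, DSS_INTLEN);
    memcpy(out + DSS_INTLEN - len, p, len);
    *pp = p + len;
    return 0;
}

/* DER SEQUENCE { r INTEGER, s INTEGER } -> 40-byte r||s. 0 on success. */
int dss_der_to_ssh(const unsigned char *der, size_t derlen, unsigned char *out) {
    const unsigned char *p = der, *end = der + derlen;
    if (derlen < 2 || p[0] != 0x30 || (p[1] & 0x80) || (size_t)p[1] != derlen - 2)
        return -1;
    p += 2;
    if (der_int_to_fixed(&p, end, out) != 0) return -1;
    if (der_int_to_fixed(&p, end, out + DSS_INTLEN) != 0) return -1;
    return p == end ? 0 : -1;         /* reject trailing bytes */
}

/* Constructed sample: r has its top bit set (DER adds 0x00), s is short. */
const unsigned char sample_der[] = {
    0x30, 0x1b, 0x02, 0x15, 0x00, 0x80, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
    0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12,
    0x13, 0x02, 0x02, 0x01, 0x02 };

int main(void) {
    unsigned char sig[DSS_SIGLEN];
    if (dss_der_to_ssh(sample_der, sizeof(sample_der), sig) != 0) return 1;
    for (size_t i = 0; i < sizeof(sig); i++) printf("%02x", sig[i]);
    printf("\n");
    return 0;
}
```

Verification needs the reverse step: the 40-byte blob is split into r and s and re-encoded as DER before it is handed to OpenSSL.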

support fipscheck library
Red Hat and Red Hat based distributions like CentOS use their own FIPS validated OpenSSL implementation and
their own process for verification of FIPS mode, based on the fipscheck library.

restore arc4random in FIPS mode
Unfortunately the replacement of the RC4 based arc4random* functions in version 7.8, based on OpenSSH 6.5p1, does
not follow the previous rules. The regression is corrected in this version 8.1, based on OpenSSH 6.5p1.

ssh-keysign avoid dependency from "X.509 store" objects
Now the dependencies of ssh-keysign on external libraries are minimized.

search known host file by key subtype
The search for host keys in the known host file is enhanced to take into account the curve used for EC keys.

Implementation of x509v3-ecdsa-sha2-* keys
Version 8.0 starts to support the x509v3-ecdsa-sha2-* public key algorithms
as described in [RFC6187].
You can use configure with --enable-x509v3-ecdsa to enable support of those keys
by default.
For the public key algorithms defined in [RFC6187] the identity file
has to contain an X.509 certificate that matches the private key and
the chain of certificates leading to a trusted certificate authority.

engine and OpenSSL 1.0.1g
Since OpenSSL version 1.0.1g engines are registered internally; as a result
engine support was broken due to an attempt to register them again.
Now pkix-ssh checks during engine initialization whether an engine is
registered internally before requesting its registration.